Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda
What is an IPS? • IPS (Intrusion Prevention System) • Controls access to a network • Similar to a firewall, but with a difference…
What’s the difference? • Traditional firewall – examines packet headers only (addresses, protocol, ports) • IPS – examines the payload as well • DPI (Deep Packet Inspection)
DPI enables an IPS to… • Gather more information from each packet • Detect known attack signatures in the payload • Control network traffic based on application content - FTP login as root (USER root) - HTTP content
Tradeoff • Payload - no fixed fields to parse - large in size • Requires high computing resources - CPU - memory • Hardware implementation for line-rate inspection
IDS vs IPS • Intrusion Detection System (IDS): - DPI - detects and alerts only - e.g. Snort • IPS: - DPI - takes action (drops the traffic) - e.g. snort_inline + iptables
Proof of concept • Implement an IPS using: - snort_inline, and - iptables • Test the IPS using: - the Lab 4 firewall configuration - the Lab 6 imapd buffer overflow
Lab 4 setup • BlackHat - attacker • Protected – victim • Firewall - IPS
How to capture the attack? • The attack sends a buffer overflow string • It contains a long sequence of NOPs (0x90 on x86) • snort_inline checks the payload for …90 90 90 90… • Caveat: this only catches payloads that carry that exact filler; other NOP-equivalent bytes or an encoder would slip past this signature
Flow • Protected runs the vulnerable service • BlackHat attacks • snort_inline matches the signature and signals a drop • iptables blocks the traffic • Protected remains safe
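The following is an added example, not code from the presentation or from snort_inline itself. It shows in Python what the "What's the difference?" and "How to capture the attack?" slides describe: a header-only firewall accepts the overflow string because it arrives on an allowed port, while a DPI rule in snort_inline syntax (`drop` action, `content:"|90 90 90 90 90 90 90 90|"`) matches the NOP sled and drops it. The rule text uses real Snort syntax, but the sid, the 8-byte NOP threshold and all sample packets are constructed for the example; the "attack" payload is an overflow-shaped string with placeholder bytes, not the Lab 6 exploit.

```python
"""Added example: header-only filtering vs. deep packet inspection.

Illustration code written for this page; it mimics the part of
snort_inline rule matching that the slides rely on. The sid and the
8-byte NOP threshold are assumptions chosen for the example."""
import re
from dataclasses import dataclass

# snort_inline rule: "drop" (instead of Snort's "alert") tells the inline
# engine to discard the packet. |..| delimits hex bytes; 0x90 is x86 NOP.
SNORT_RULE = ('drop tcp any any -> any 143 (msg:"IMAP NOP sled"; '
              'content:"|90 90 90 90 90 90 90 90|"; sid:1000001; rev:1;)')


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


def parse_content(rule: str) -> bytes:
    """Turn the rule's content:"..." option into the bytes it matches.
    Text between | | is hex; everything else is matched literally."""
    m = re.search(r'content:"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    spec, out, i = m.group(1), bytearray(), 0
    while i < len(spec):
        if spec[i] == "|":
            j = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:j])   # fromhex ignores spaces
            i = j + 1
        else:
            out += spec[i].encode("latin-1")
            i += 1
    return bytes(out)


def parse_header(rule: str):
    """Split 'action proto src sport -> dst dport' off the front of a rule."""
    action, proto, _src, _sport, _arrow, _dst, dport = rule.split("(", 1)[0].split()
    return action, proto, (None if dport == "any" else int(dport))


def firewall_verdict(pkt: Packet, allowed_ports=frozenset({143})) -> str:
    """Traditional packet filter: decides on protocol and port only."""
    return "ACCEPT" if pkt.proto == "tcp" and pkt.dport in allowed_ports else "DROP"


def ips_verdict(pkt: Packet, rule: str = SNORT_RULE) -> str:
    """Inline IPS: the header must match AND the payload must contain the content."""
    action, proto, dport = parse_header(rule)
    if pkt.proto != proto or (dport is not None and pkt.dport != dport):
        return "pass"
    return action if parse_content(rule) in pkt.payload else "pass"


# Constructed sample traffic (not a capture of the lab's exploit).
BENIGN = Packet("10.0.0.5", "10.0.0.10", "tcp", 143,
                b"a001 LOGIN alice secret\r\n")
# Overflow-shaped string: a long NOP sled followed by placeholder "shellcode"
# bytes (0xCC = int3). This is the pattern the rule was written to catch.
ATTACK = Packet("10.0.0.66", "10.0.0.10", "tcp", 143,
                b"a001 AUTHENTICATE " + b"\x90" * 200 + b"\xcc" * 16 + b"\r\n")
# Same length, but no 0x90 bytes: the NOP-sled signature alone misses it.
EVASION = Packet("10.0.0.66", "10.0.0.10", "tcp", 143,
                 b"a001 AUTHENTICATE " + b"\x41" * 200 + b"\xcc" * 16 + b"\r\n")


def run_demo():
    """Apply both checks to each packet; returns {name: (firewall, ips)}."""
    return {name: (firewall_verdict(p), ips_verdict(p))
            for name, p in [("benign", BENIGN), ("attack", ATTACK),
                            ("evasion", EVASION)]}


if __name__ == "__main__":
    for name, (fw, ips) in run_demo().items():
        print(f"{name:8s} firewall={fw:6s} ips={ips}")
```

Running it prints that all three packets are accepted by the port-based firewall, only the sled-bearing packet is dropped by the DPI rule, and the 0x41-filled variant passes both. In the real deployment the matching runs inside snort_inline, which receives packets from the kernel through the iptables QUEUE target (the usual setup is a rule such as `iptables -A FORWARD -j QUEUE`; whether the lab used exactly that is an assumption) and returns a drop verdict for packets matching a `drop` rule.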
IPS + Lab4 + Lab6 • BlackHat, Protected, and IPS
Implication • One IPS protects every host behind it • Less dependence on hardening each server individually • A vulnerable service can be shielded from the known attack (the bug itself is not fixed) • Enhanced security
What will you do in the lab? • Set up the machines & install the software • Perform the first attack without the IPS • Perform the second attack with the IPS enabled • Appreciate IPS/DPI